**Copyright (c) 2020-2022 OpenAtom OpenHarmony. All rights reserved.**
## Copyright
All copyrights of the OpenHarmony documents are reserved by OpenAtom OpenHarmony.
The OpenHarmony documents are licensed under Creative Commons Attribution 4.0 International (CC BY 4.0). For easier understanding, you can visit [Creative Commons](https://creativecommons.org/licenses/by/4.0/) to get a human-readable summary of the license. For the complete content, see [Creative Commons Attribution 4.0 International Public License](https://creativecommons.org/licenses/by/4.0/legalcode).
## Trademarks and Permissions
No content provided in the OpenHarmony documentation shall be deemed as a grant of the approval or right to use any trademark, name, or logo of the OpenAtom Foundation and OpenAtom OpenHarmony. No third parties shall use any of the aforementioned trademarks, names, or logos in any way without explicit prior written permission of the OpenAtom Foundation.
## Disclaimer
The information in the OpenHarmony documents is subject to change without notice.
The OpenHarmony documents are provided without any express or implied warranty. In any case, the OpenAtom Foundation or the copyright owner is not liable for any direct or indirect loss arising from the use of the OpenHarmony documents, regardless of the cause or legal theory, even if the OpenHarmony documents have stated that there is a possibility of such loss.
## How Do I Create PRs at the Same Time If Multiple Code Repositories Have Compilation Dependencies?<a name="section169732563435"></a>
## How Do I Create PRs at the Same Time If Multiple Code Repositories Have Compilation Dependencies?
During the development of the operating system \(OS\), it is common that multiple code repositories have compilation dependencies. Therefore, the PRs need to be created and merged at the same time. For this reason, Gitee uses issues as the association identifiers for code repositories with dependency dependencies to commit the PRs. Follow the operations below:
...
...
@@ -8,11 +8,11 @@ During the development of the operating system \(OS\), it is common that multipl
2. Associate PRs need to be built and merged at the same time with the issue. For details, visit [https://gitee.com/help/articles/4142](https://gitee.com/help/articles/4142).
3. After the build is triggered, the build center identifies the PRs associated with the same issue, downloads the build, and merges the PRs into the code library after the code is approved.
This noncompliant code example uses an external class name to directly construct an object through reflection. An ill-intentioned user can construct a malicious `BaseClass` subclass object, take control over a `BaseClass` subclass, and execute arbitrary code in the `doSomething()` method of the subclass. An ill-intentioned user can further use the code to execute the default constructor of any class. Even if an`ClassCastException` is thrown in class conversion, the code in the constructor is executed as expected by the ill-intentioned user.
This noncompliant code example uses an external class name to directly construct an object through reflection. An ill-intentioned user can construct a malicious `BaseClass` subclass object, take control over a `BaseClass` subclass, and execute arbitrary code in the `doSomething()` method of the subclass. An ill-intentioned user can further use the code to execute the default constructor of any class. Even if a `ClassCastException` is thrown in class conversion, the code in the constructor is executed as expected by the ill-intentioned user.
@@ -32,7 +32,7 @@ The style consistency principle is preferred in the following situations:
**Example:**`username`,`account`
#### Rule 1.2 Use abbreviations as few as possible, except for common words or professional words. For example, `context` can be shortened to `ctx`, `request` can be shortened to `req`, and `response` can be shortened to `resp`.
**Note:** Complete spelling of words can avoid unnecessary misunderstanding.
**Exceptions:** The variable name of the cyclic condition can be ` i` or ` j` in the cyclic language.
...
...
@@ -329,7 +329,7 @@ console.log(`${username}'s birthday is ${birthday}`);
**Example:**
```javascript
letmessage='wolrd';
letmessage='world';
console.log(message);
```
...
...
@@ -337,7 +337,7 @@ console.log(message);
#### Rule 3.1 When declaring a variable, use the keyword `var`, `let`, or `const` to prevent the variable from being exposed to the global scope.
**Note:** If the keyword `var`, `let`, or `const` is not used to declare a variable, the variable will be exposed to the global scope, which may overwrite the variable with the same name in the global scope. As a result, the GC cannot effectively reclaim the memory. In addition, when a variable contains sensitive information, exposuring to the global scope may result in information leakage. ** Use `const` instead of `var` for all references; Use `let` instead of `var` if you need a variable reference.** Because the scope of `const` and `let` is smaller, writing code is easier to control. Const ensures that the reference cannot be re-assigned. The pointer referenced by const is immutable, and an error will be reported during re-assignment, avoiding overwriting.
**Note:** If the keyword `var`, `let`, or `const` is not used to declare a variable, the variable will be exposed to the global scope, which may overwrite the variable with the same name in the global scope. As a result, the GC cannot effectively reclaim the memory. In addition, when a variable contains sensitive information, exposing to the global scope may result in information leakage. ** Use `const` instead of `var` for all references; Use `let` instead of `var` if you need a variable reference.** Because the scope of `const` and `let` is smaller, writing code is easier to control. Const ensures that the reference cannot be re-assigned. The pointer referenced by const is immutable, and an error will be reported during re-assignment, avoiding overwriting.
Leave at least one space between the code and the comment on the right. No more than four spaces is recommended.
Leave at least one space between the code and the comment on the right. No more than four spaces are recommended.
You can use the extended Tab key to indent 1-4 spaces.
...
...
@@ -1561,7 +1561,7 @@ Note: Whether to declare the pointer parameter as `const` depends on the functio
### Rec 5.6 Include no more than 5 parameters in a function.
If a function has too many parameters, the function is easy to be affected by changes in external code, hindering maintenance. Too many function parameters will also increases the workload for testing.
If a function has too many parameters, the function is easy to be affected by changes in external code, hindering maintenance. Too many function parameters will also increase the workload for testing.
The number of parameters in a function must not exceed 5. If the number of parameters exceeds 5, consider the following:
...
...
@@ -2029,7 +2029,7 @@ However, due to invalid initialization, the defect of placing "UseData" before "
Therefore, simple code should be written to initialize variables or memory blocks as required.
The C99 does not limit the definition position of local variables to before the first statement in a function. That is, a variable can now be defined close to a variable.
The C99 does not limit the definition position of local variables before the first statement in a function. That is, a variable can now be defined close to a variable.
This concise approach not only limits the scope of the variable scope, but also solves the problem of how to initialize the variable when it is defined.
...
...
@@ -2080,7 +2080,7 @@ if (v < MAX) ...
There are special cases: for example, the expression `if (MIN < v && v < MAX)` is used to check for a range. This first constant should be placed on the left.
You do not need to worry about accidentally writing '==' as '=' because a compilation alarm will be generated for `if (v = MAX)` and an error will be reported by other static check tools. Use these tools to solve such writing errors and ensure that that code is readable.
You do not need to worry about accidentally writing '==' as '=' because a compilation alarm will be generated for `if (v = MAX)` and an error will be reported by other static check tools. Use these tools to solve such writing errors and ensure that code is readable.
### Do not reference a variable again in an expression containing an increment (++) or decrement (--) operator.
@@ -4,25 +4,25 @@ With reference to industry standards and best practices, this document provides
## 1\. Access Channel Control
1-1 To prevent unauthorized access to the system and resources, all system management interfaces unless otherwise specified by standards protocols must be provided with access control mechanisms (enabled by default)
1-1 To prevent unauthorized access to the system and resources, all system management interfaces unless otherwise specified by standards protocols must be provided with access control mechanisms (enabled by default).
**Description**: To reduce the attack surface of the system, authentication mechanisms must be enabled for system management interfaces (including those used for configuration, upgrade, and commissioning) to prevent unauthorized access.
1-2 All external connections of the system must be necessary for system operation and maintenance. All unnecessary connections and ports must be disabled
1-2 All external connections of the system must be necessary for system operation and maintenance. All unnecessary connections and ports must be disabled.
**Description**: Disabling unnecessary communication ports can greatly reduce security threats and is a basic means of system security protection.
## 2\. Application Security
2-1 The session ID and user permission must be verified for each access request if authorization is required
2-1 The session ID and user permission must be verified for each access request if authorization is required.
**Description**: It is a means to prevent unauthorized access.
2-2 User authentication must be conducted on the server since it may be easily bypassed if being conducted on the client
2-2 User authentication must be conducted on the server since it may be easily bypassed if being conducted on the client.
## 3\. Encryption
3-1 Use verified, secure, and open encryption algorithms
3-1 Use verified, secure, and open encryption algorithms.
**Description**: The security of an algorithm does not mean its confidentiality.
...
...
@@ -41,9 +41,9 @@ The following are examples of insecure cipher algorithms:
MD5, DES, 3DES (Do not use 3DES in TLS/SSH, and ensure K1≠K2≠K3 in non-cryptographic protocols), HMAC-SHA2-256-96, HMAC-SHA1-96, HMAC-MD5, HMAC-MD5-96, SSH CBC, anonymous algorithm suites, DH512, DH1024, SKIPJACK, RC2, RSA (1024 bits or shorter), MD2, MD4, Blowfish, RC4
3-2 Do not use algorithms for error control coding, such as parity check and CRC, to perform integrity check, unless otherwise specified in standard protocols
3-2 Do not use algorithms for error control coding, such as parity check and CRC, to perform integrity check, unless otherwise specified in standard protocols.
3-3 Cipher algorithms must use cryptographically secure random numbers for security purposes
3-3 Cipher algorithms must use cryptographically secure random numbers for security purposes.
**Description**: The use of insecure random numbers may easily weaken a cipher algorithm or even render it ineffective.
...
...
@@ -56,35 +56,35 @@ The following interfaces can be used to generate secure random numbers:
-**java.security.SecureRandom** of the JDK
-**/dev/random** file of Unix-like platforms
3-4 By default, use secure cipher algorithms and disable/prohibit insecure cipher algorithms. Use cipher algorithm libraries that are certified by authoritative organizations, recognized by open-source communities in the industry, or assessed and approved by OpenHarmony
3-4 By default, use secure cipher algorithms and disable/prohibit insecure cipher algorithms. Use cipher algorithm libraries that are certified by authoritative organizations, recognized by open-source communities in the industry, or assessed and approved by OpenHarmony.
**Description**: In the context of advances in cryptographic technologies and enhancement in computing capabilities, some cipher algorithms may become insecure. Using such algorithms may bring risks to user data. In addition, unknown flaws may exist in cipher algorithms that are developed by amateurs and not analyzed/verified by the industry. In this regard, use cipher algorithm libraries that are certified by authoritative organizations, recognized by open-source communities in the industry, or assessed and approved by OpenHarmony.
**Example**: See 3-1.
3-5 The GCM mode is preferred when block cipher algorithms are used
3-5 The GCM mode is preferred when block cipher algorithms are used.
3-6 The OAEP padding scheme is preferred when RSA is used for encryption
3-6 The OAEP padding scheme is preferred when RSA is used for encryption.
**Description**: PKCS1 padding has been known to be insecure in the industry and academic field. If OAEP padding is not used, attackers can easily decrypt the ciphertext.
3-7 Do not use private keys to encrypt sensitive data when asymmetric encryption is used for protecting data confidentiality
3-7 Do not use private keys to encrypt sensitive data when asymmetric encryption is used for protecting data confidentiality.
**Description**: Using private key for encryption cannot ensure data confidentiality.
3-8 Use different key pairs for asymmetric encryption and signing
3-8 Use different key pairs for asymmetric encryption and signing.
3-9 Use the sign-then-encrypt mode when both symmetric encryption and digital signature are required. Check the order in which cipher algorithms are called, and do not sign cipher text hashes (i.e., do not perform private key operations on cipher text hashes)
3-9 Use the sign-then-encrypt mode when both symmetric encryption and digital signature are required. Check the order in which cipher algorithms are called, and do not sign cipher text hashes (i.e., do not perform private key operations on cipher text hashes).
**Description**: If a cipher text is signed (i.e., the cipher text hash is signed), attackers can obtain the cipher text hash (also the cipher text) through network sniffing. In this case, attackers can tamper with the ciphertext signature
**Description**: If a cipher text is signed (i.e., the cipher text hash is signed), attackers can obtain the cipher text hash (also the cipher text) through network sniffing. In this case, attackers can tamper with the ciphertext signature.
3-10 If the public keys received from peers during key exchange using the DH algorithm are special public keys 0, 1, p-1, or p, negotiation must be performed again
3-10 If the public keys received from peers during key exchange using the DH algorithm are special public keys 0, 1, p-1, or p, negotiation must be performed again.
**Description**: If the public keys received from peers during key exchange using the DH algorithm are special key values, the negotiated keys must also be known values. In this case, attackers may easily decrypt the cipher text within five attempts.
3-11 In SSL and TLS protocols, if DH or ECDH algorithm is used for key exchange, use the cipher suite that contains DHE or ECDHE key exchange algorithm to achieve perfect forward secrecy; do not use the cipher suite that only contains DH/ECDH
3-11 In SSL and TLS protocols, if DH or ECDH algorithm is used for key exchange, use the cipher suite that contains DHE or ECDHE key exchange algorithm to achieve perfect forward secrecy; do not use the cipher suite that only contains DH/ECDH.
3-12 Do not use truncated message authentication codes (MACs) in cryptographic protocols
3-12 Do not use truncated message authentication codes (MACs) in cryptographic protocols.
**Description**: In cryptographic protocols (such as TLS, SSH, and IKE), MACs are usually used to verify the integrity of messages. Some protocols support truncated MACs. Truncation reduces MAC security. For example, SLOTH attacks against multiple cryptographic protocols (such as TLS and SSH) may craft collisions using truncated hash values.
...
...
@@ -102,19 +102,19 @@ The standard output lengths of HMAC-MD5-96, HMAC-SHA1-96, and HMAC-SHA2-256-96 c
- SHA-512/224/HMAC-SHA-512/224: The standard output length is 224 bits.
- SHA-512/256/HMAC-SHA-512/256: The standard output length is 256 bits.
3-13 When HMAC is used for data integrity protection, do not use the calculation result of hash(key\|\|message) or hash(message\|\|key) as the MAC value
3-13 When HMAC is used for data integrity protection, do not use the calculation result of hash(key\|\|message) or hash(message\|\|key) as the MAC value.
**Description**: Attackers may add any information to the end of the original plaintext information to compromise data integrity.
3-14 Use different symmetric keys for data encryption and MAC calculation in the same transaction
3-14 Use different symmetric keys for data encryption and MAC calculation in the same transaction.
**Description**: If the same key is used for data encryption and MAC calculation, key exposure creates vulnerabilities for attackers to tamper with confidential information.
3-15 Do not use fixed IVs (for example, IVs hard-coded or fixed in configuration files) for encryption
3-15 Do not use fixed IVs (for example, IVs hard-coded or fixed in configuration files) for encryption.
**Description**: The randomness of IV in CBC mode ensures the generation of different cipher texts based on the same piece of data in plain text and key. If such randomness cannot be ensured, attackers can easily replace the cipher text. For other block cipher modes, such as OFB and CRT, attackers can easily decrypt the cipher text.
3-16 Do not select anonymous authentication, non-encryption, weak authentication, weak key exchange, weak symmetric key algorithms, or weak message authentication algorithm cipher suites in cryptographic protocols
3-16 Do not select anonymous authentication, non-encryption, weak authentication, weak key exchange, weak symmetric key algorithms, or weak message authentication algorithm cipher suites in cryptographic protocols.
**Description**: Their use may compromise system security.
...
...
@@ -128,25 +128,25 @@ The following is an example of weak authentication:
RSA/DSA, with a key length less than 2048 bits
3-17 It is recommended that only ECDHE be used as the cipher suite of the key exchange algorithm
3-17 It is recommended that only ECDHE be used as the cipher suite of the key exchange algorithm.
3-18 Do not hardcode keys used for data encryption/decryption. Use the root key or other means for encryption, and protect the root key with a proper security mechanism (for example, hardcode only some key components)
3-18 Do not hardcode keys used for data encryption/decryption. Use the root key or other means for encryption, and protect the root key with a proper security mechanism (for example, hardcode only some key components).
**Description**: Hard-coded keys are likely to be cracked by reverse engineering.
3-19 It is recommended that the function design cover the working key update methods (such as manual or automatic key update) and update rules (online update, offline update, and update time, etc.)
3-19 It is recommended that the function design cover the working key update methods (such as manual or automatic key update) and update rules (online update, offline update, and update time, etc.).
**Description**: The longer a key is in use, the more likely it is to be cracked. The larger the amount of data encrypted using the key, the greater the chance for attackers to obtain ciphertext data as it is easier to analyze the ciphertexts encrypted using the same key. If the key is leaked, the loss incurred increases with its service period.
**Example**: The system generates new keys based on key generation rules, uses the old key to decrypt the data, uses the new key to encrypt the data again, and destroys the old key. In scenarios where mass data needs to be encrypted, consider reserving the old key to decrypt the old data and use the new key to encrypt the new data.
3-20 Key materials and components must be subject to strict access control (such as permission 600 or 400)
3-20 Key materials and components must be subject to strict access control (such as permission 600 or 400).
3-21 For keys saved in memory, overwrite the memory by other data (such as 0x00) before freeing it
3-21 For keys saved in memory, overwrite the memory by other data (such as 0x00) before freeing it.
## 4\. Sensitive Data Protection
4-1 Store authentication credentials such as passwords in ciphertext and apply access control
4-1 Store authentication credentials such as passwords in ciphertext and apply access control.
4-2 Use irreversible algorithms such as PBKDF2 for encryption in scenarios where authentication credentials do not need to be restored. HMAC (authentication credentials and salt values) can be used in scenarios where performance is sensitive and the security requirement is not high. (Note: Password and salt value locations can be exchanged.)
...
...
@@ -156,11 +156,11 @@ RSA/DSA, with a key length less than 2048 bits
- A salt value is a cryptographically secure random number generated by the system. The salt value has at least 16 bytes and is unique to each user.
- Avoid using HASH (user name\|\|password), HMAC (user name, password), and HASH (password XOR salt).
4-3 If sensitive data needs to be transmitted over untrusted networks, ensure that sensitive data is transmitted over secure paths or is transmitted after being encrypted
4-3 If sensitive data needs to be transmitted over untrusted networks, ensure that sensitive data is transmitted over secure paths or is transmitted after being encrypted.
4-4 For access to sensitive data, use appropriate security mechanisms (such as authentication, authorization, or encryption) based on risks. Files and directories containing sensitive data (for example, configuration files, log files, personal sensitive data files, user password files, key files, certificate files, drive files, and backup files) shall be accessible only to their owners or permitted users
4-4 For access to sensitive data, use appropriate security mechanisms (such as authentication, authorization, or encryption) based on risks. Files and directories containing sensitive data (for example, configuration files, log files, personal sensitive data files, user password files, key files, certificate files, drive files, and backup files) shall be accessible only to their owners or permitted users.
4-5 Filter out or shield authentication credentials in logs, debugging information, and error messages
4-5 Filter out or shield authentication credentials in logs, debugging information, and error messages.
## 5\. System Management and Maintenance Security
...
...
@@ -171,11 +171,11 @@ RSA/DSA, with a key length less than 2048 bits
- Login postponed
- Verification code required
5-2 By default, all the passwords entered by users on the GUI for system O\&M purposes are not displayed in plaintext
5-2 By default, all the passwords entered by users on the GUI for system O\&M purposes are not displayed in plaintext.
5-3 The password in a text box cannot be copied out
5-3 The password in a text box cannot be copied out.
5-4 Use appropriate security protocols, and disable insecure protocols by default
5-4 Use appropriate security protocols, and disable insecure protocols by default.
**Example**:
...
...
@@ -189,35 +189,35 @@ The following are examples of insecure protocols:
5-5 Do not assign a role to a new account or assign a role with the least privilege (for example, read only) by default in line with the principle of least privilege
5-5 Do not assign a role to a new account or assign a role with the least privilege (for example, read only) by default in line with the principle of least privilege.
**Description**: In this way, unauthorized users cannot but obtain the least privilege when the authorization mechanism is faulty or bypassed.
## 6\. Privacy Protection
6-1 Explicitly notify users and obtain their consent before collecting/using their personal data or forwarding the data to third parties
6-1 Explicitly notify users and obtain their consent before collecting/using their personal data or forwarding the data to third parties.
**Description**: It is to increase transparency and grant users more control over their data in compliance with laws and regulations such as GDPR.
6-2 Provide necessary security protection mechanisms (such as authentication, access control, and logging) for personal data collection, processing, and storage as required by normal services to prevent personal data from being disclosed, lost, or damaged
6-2 Provide necessary security protection mechanisms (such as authentication, access control, and logging) for personal data collection, processing, and storage as required by normal services to prevent personal data from being disclosed, lost, or damaged.
6-3 Describe the product functions involving user privacy in documentation, including the purpose, scope, method, and period of personal data processing, and require that the function should be used in compliance with local laws and regulations
6-3 Describe the product functions involving user privacy in documentation, including the purpose, scope, method, and period of personal data processing, and require that the function should be used in compliance with local laws and regulations.
**Description**: It is to increase transparency in compliance with laws and regulations such as GDPR.
6-4 Support filtering, anonymization, or pseudonymization for personal data to be displayed (for example, on UIs or in stored or exported files)
6-4 Support filtering, anonymization, or pseudonymization for personal data to be displayed (for example, on UIs or in stored or exported files).
**Description**: It is to reduce the risk of personal privacy breaches.
6-5 To prevent location tracking, do not identify precise locations of users for maintenance purposes (such as troubleshooting) unless it is explicitly required
6-5 To prevent location tracking, do not identify precise locations of users for maintenance purposes (such as troubleshooting) unless it is explicitly required.
**Description**: Precise location information is very sensitive, and is not needed in troubleshooting.
6-6 Collect personal data necessary for stated purposes in compliance with the data minimization principle. Comply with the data minimization principle when displaying personal data in fault diagnosis logs
6-6 Collect personal data necessary for stated purposes in compliance with the data minimization principle. Comply with the data minimization principle when displaying personal data in fault diagnosis logs.
**Description**: The display of personal data in fault diagnosis logs may arouse users' doubts. Therefore, personal data should not be displayed in fault diagnosis logs. If it has to be displayed (for example, for debugging purpose) anonymization is required.
6-7 In scenarios involving personal data processing, provide mechanisms to ensure that data subjects can query, update, and erase their personal data
6-7 In scenarios involving personal data processing, provide mechanisms to ensure that data subjects can query, update, and erase their personal data.
**Description**: It is to protect data subjects' rights.
The OpenHarmony community complies with the code of conduct specified in [Contributor Covenant](https://contributor-covenant.org/) of the open source community. For details, see [https://www.contributor-covenant.org/version/1/4/code-of-conduct/](https://www.contributor-covenant.org/version/1/4/code-of-conduct/).
The OpenHarmony community complies with the code of conduct specified in [Contributor Covenant](https://contributor-covenant.org/) of the open source community.
To report insults, harassment, or other unacceptable behavior, you can contact the OpenHarmony technical committee at contact@openharmony.io.
@@ -181,27 +181,29 @@ Save the settings and exit. The repo tool automatically pushes the local branch
The tool automatically associates the PR with the issue.
## Creating a Pull Request<a name="section28261522124316"></a>
## Creating a Pull Request
Access the fork repository on Gitee, click the button for creating a PR, and select the **myfeature** branch to generate a PR. \(Skip this step if a PR has been automatically created using the repo tool.\)
For details, visit [https://gitee.com/help/articles/4128](https://gitee.com/help/articles/4128).
>**How do I create PRs at the same time if multiple code repositories have compilation dependencies?**
>During the development of the operating system \(OS\), it is common that multiple code repositories have compilation dependencies. Therefore, the PRs need to be created and merged at the same time. For this reason, Gitee uses issues as the dependency identifiers for code repositories with compilation dependencies to commit the PRs. Follow the operations below:
>
>1. Create an issue in any of the code repositories.
>2. Associate PRs that need to be built and merged at the same time with the issue. For details, visit [https://gitee.com/help/articles/4142](https://gitee.com/help/articles/4142).
>3. After the build is triggered, the build center identifies the PRs associated with the same issue, downloads the build, and merges the PRs into the code library after the code is approved.
## Building Access Control<a name="section981124754415"></a>
## Building Access Control
## Creating an Issue<a name="section979820334458"></a>
## Creating an Issue
1. Go to the homepage of the repository.
2. Click the **Issues** tab in the upper left corner. Then, click the issue creation button on the right, and create a dedicated task as prompted to execute continuous integration \(CI\) access control for associated code \(feature development/bug fixing\).
## Associating the Issue with the PR<a name="section5470144853615"></a>
## Associating the Issue with the PR
When creating a PR or compiling an existing PR, enter **\#+I+_five-digit issue ID_** in the description box to associate the issue with the PR.
...
...
@@ -212,7 +214,7 @@ When creating a PR or compiling an existing PR, enter **\#+I+_five-digit issue
- Among the PRs associated with the issue, no PR that has been merged or closed is allowed. Otherwise, the CI cannot be triggered.
- If an issue has been associated with a merged or closed PR, the issue cannot be reused. In this case, create another issue and associate it with an open PR.
@@ -76,7 +76,7 @@ Members in the Docs SIG or document contributors should cooperate with each serv
To know feature and release plans of a release, you can attend the meeting [SIG Release](https://gitee.com/openharmony/release-management/blob/master/README.md) held on Friday every two weeks. Understand the release progress, requirement delivery progress, and document delivery progress.
You can also view feature requirements of a release in [OpenHarmony Roadmap](https://gitee.com/openharmony/release-management/blob/master/OpenHarmony-RoadMap.md). You can select feature issues marked with SIG_Docs and associated document PRs.
### Reviewing Chinese Documents Submitted in PRs
...
...
@@ -109,7 +109,7 @@ When reviewing a feature document, you are advised to provide review suggestions
- When a Markdown page is deleted or a Markdown page name is changed, ensure that:
- The page does not affect links in other documents in the community. You are advised to check the links locally.
- The contents in the **README** file is updated.
- The contents in the **README** file are updated.
For more detailed specifications, see [Writing Instructions](writing-instructions.md).
@@ -37,12 +37,12 @@ For easier maintenance and evolution, comply with the following principles when
9. If you need to modify the software, place the new code in the software repository and ensure that the new code meets the license requirements of the software. Retain the original license for the modified files, and use the same license for the new files (recommended).
10. Provide the **README.OpenSource** file in the root directory of the software repository. Include the following information in the file: software name, license, license file location, version, upstream community address of the corresponding version, software maintenance owner, function description, and introduction reason.
11. Make sure the software you introduce is under the custody of a domain SIG. In principle, the SIG-Architecture will deny the introduction of a piece of software without the confirmation of the SIG-Compliance and the corresponding domain SIG. When introducing multiple pieces of software at a time, you can ask the PMC to hold a temporary review meeting between SIGs for faster introduction. If you want to introduce a piece of software but fail to meet the preceding requirements, send an email to oh-legal@openatom.io.
12. When software introduction depends on other dependency software, it is not allowed to nest the dependency software in the subdirectory of the software introduction, and all dependency softwares must be placed in separate repository, and name it in the format of **third_party_*****softwareName***, because nested placement of dependency software may lead to multiple versions of the same software, old versions of security vulnerabilities cannot be fixed in a timely, and will risk the opensource compliance issues.
- Dependency software are named in the compiled BUILD.gn with part name by prefixing the newly software introduction name, e.g. part_name = "software_introduction_name_dependency software_name".
12. When software introduction depends on other dependency software, it is not allowed to nest the dependency software in the subdirectory of the software introduction, and all dependency software must be placed in separate repository, and name it in the format of **third_party_*****softwareName***, because nested placement of dependency software may lead to multiple versions of the same software, old versions of security vulnerabilities cannot be fixed in a timely, and will risk the open-source compliance issues.
- Dependency software is named in the compiled **BUILD.gn** with part name by prefixing the new software introduction name, e.g. part_name = "software_introduction_name_dependency software_name".
- The inter-component dependencies between software introduction and dependency software are resolved via external_deps.
13. OpenHarmony's archiving directory requirements for third-party software introduction.
- If you don't have a really good reason to store it elsewhere and under one of the permitted licenses belongs in third_party.
- For the dedicated third-party software introduction which belongs to the specail devboard, and is is not suitable introduced into the OpenHarmony platform, you could apply to store it in the following locations, Naming it in the format of **softwareName**, where **softwareName** must be an official name, and create README.OpenSource description file in the corresponding directory; Creating BUILD.gn to build it independently to support the automatic collection of open source obligation declaration.
- For the dedicated third-party software introduction which belongs to the special devboard, and is not suitable introduced into the OpenHarmony platform, you could apply to store it in the following locations, Naming it in the format of **softwareName**, where **softwareName** must be an official name, and create the **README.OpenSource** description file in the corresponding directory; Creating **BUILD.gn** to build it independently to support the automatic collection of open source obligation declaration.
```
device/soc/$(SOC_COMPANY)/third_party
...
...
@@ -51,11 +51,11 @@ For easier maintenance and evolution, comply with the following principles when
```
14. Precompiled binary or toolchain used in the OpenHarmony, the following information needs to be provided.
- The source code corresponding to the pre-compiled binary or toolchain, which needs to store the corresponding source code in the OpenHarmony community, and provide the corresponding build guide, and provide open source obligation statement guide;
- The source code corresponding to the precompiled binary or toolchain, which needs to store the corresponding source code in the OpenHarmony community, and provide the corresponding build guide, and provide open source obligation statement guide;
- Third-party software introduction for precompiled binary or toolchain, need to meet the principles 1 ~ 13;
- The [prebuilt toolchain's description documentation](./prebuilts-readme-template.md): including source code acquisition address, build instructions, update methods, archived in the toolchain root directory with the toolchain build;
- The root directory corresponding to the pre-compiled binary or toolchain needs to provide notice file of the full open source obligation statement;
- If the precompiled binary files come from upstream service platform (e.g. npm packages, etc.). We need to provide the following information in the place where the binary is archived, first we need to provide a general description with the name **README**, include the following information: background description of the introduction and official website; next we need to provide a opensource obligation statement file with the name **NOTICE**, include the following information: software name, version, copyrights, and license information of every third-party open-source software.
- The root directory corresponding to the precompiled binary or toolchain needs to provide notice file of the full open source obligation statement;
- If the precompiled binary files come from upstream service platform (e.g. npm packages, etc.). We need to provide the following information in the place where the binary is archived, first we need to provide a general description with the name **README**, include the following information: background description of the introduction and official website; next we need to provide an open-source obligation statement file with the name **NOTICE**, include the following information: software name, version, copyrights, and license information of every third-party open-source software.
@@ -28,56 +28,59 @@ This document applies only to the OpenHarmony community. It is not applicable to
## Copyright and License Header
1. In principle, all files in the open-source repository must contain appropriate copyright and license header statements, except in the following scenarios:
* Adding the copyright and license header statement affects the functions of the file. For example, JSON files do not support comments, and therefore you should not add the copyright and license header to a JSON file.
* A file that is generated by the tool and contains the description indicating the automatic generation.
* A brief description file for users to read. Adding the copyright and license header affects the readability of the file, for example, **README**.
* Adding the copyright and license header statement affects the functions of the file. For example, JSON files do not support comments, and therefore you should not add the copyright and license header to a JSON file.
* A file that is generated by the tool and contains the description indicating the automatic generation.
* A brief description file for users to read. Adding the copyright and license header affects the readability of the file, for example, **README**.
2. The format of the copyright and license header is as follows:
```
Copyright (C) [Year of the first release]-[Year of the current release] [Copyright holder]
The license header is subject to the specific license content. Example:
Apache License Version 2.0 license header:
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
BSD 3-Clause license header:
Redistribution and use in source and binary forms, with or without modification,
are permitted provided that the following conditions are met:
```
Copyright (C) [Year of the first release]-[Year of the current release] [Copyright holder]
The license header is subject to the specific license content. Example:
Apache License Version 2.0 license header:
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
BSD 3-Clause license header:
Redistribution and use in source and binary forms, with or without modification,
are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of
conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list
of conditions and the following disclaimer in the documentation and/or other materials
provided with the distribution.
3. Neither the name of the copyright holder nor the names of its contributors may be used
to endorse or promote products derived from this software without specific prior written
permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR
CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
```
1. Redistributions of source code must retain the above copyright notice, this list of
conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list
of conditions and the following disclaimer in the documentation and/or other materials
provided with the distribution.
3. Neither the name of the copyright holder nor the names of its contributors may be used
to endorse or promote products derived from this software without specific prior written
permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR
CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
```
3. The year in the copyright header indicates the year when the work is released. If this is the first release, enter [Year of the first release]. If this is not the first release, enter [Year of the first release]-[Year of the current release].
4. The copyright holder is a legal entity, which can be an individual or a company. If the copyright holder contributes code on behalf of a company, enter the legal entity of the company.
5. The license header information must be consistent with the license information of the open-source repository. If a file is a dual license, the license header must clearly describe the application conditions of each license and include the license header description defined by each license.
